CISA gives federal agencies three days to patch actively exploited Dell bug
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-22769 to its Known Exploited Vulnerabilities (KEV) catalogue and ordered civilian federal agencies to remediate affected systems by 21 February 2026 — a three-day window from the advisory.
The flaw affects Dell RecoverPoint for Virtual Machines and stems from hardcoded credentials that permit unauthorised access. Dell released a patch earlier in the week after reports of limited active exploitation.
Security researchers, including Google’s Mandiant team, report the vulnerability has been abused since at least mid-2024 by suspected China-linked operators to move laterally, persist and deploy malware. Observed tooling includes the Brickstorm backdoor, Grimbolt implant and Slaystyle, and attackers have used “Ghost NICs” on virtual machines to evade detection. Mandiant has associated a cluster tracked as UNC6201 with the activity and reports fewer than a dozen confirmed victims so far, though the full scope may be larger.
CISA’s directive continues a recent pattern of very short remediation deadlines for actively exploited flaws, underscoring the urgency for organisations to apply fixes quickly.
Key Points
- CISA added CVE-2026-22769 to the KEV list and gave federal civilian agencies until 2026-02-21 to patch.
- The vulnerability is in Dell RecoverPoint for Virtual Machines and arises from hardcoded credentials allowing unauthorised access.
- Dell issued fixes after confirming that limited active exploitation had occurred before a patch was available.
- Mandiant links exploitation since mid-2024 to suspected China-nexus operators deploying Brickstorm, Grimbolt and Slaystyle, and using “Ghost NICs” to pivot stealthily.
- Mandiant tracks the activity as the cluster UNC6201 and reports fewer than a dozen confirmed victims, but warns the true number may be higher.
- CISA’s three-day remediation order follows a trend of rapid patch deadlines aimed at shrinking exposure windows for active exploits.
Why should I read this?
Short version: if you run RecoverPoint or manage VMs, stop what you’re doing and patch — CISA’s given three days and attackers have been quietly exploiting this for espionage. We’ve done the digging so you don’t have to: know the risk, the timeline and the likely adversary tooling.
Source
Source: https://www.theregister.com/2026/02/20/cisa_dell_vulnerability/
